On Mon, 2018-01-08 at 08:51 -0800, Daniel Lenski wrote:
> Perhaps the correct solution here is to turn replay protection on as a
> warning but not a fatal error, as you suggest.

I've done that, which keeps things relatively simple and also means that we base 'old_esp_maxseq' on the received packet with the highest seqno, not just the most recently received packet. I added a changelog entry while I was at it :)
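The approach discussed in this message, a replay check that only warns and that tracks the highest sequence number received rather than the most recent one, sketched as an added example that is not OpenConnect's own code. The struct, function names and the 64-packet window are assumptions made for illustration, and sequence-number wraparound is not handled.

```c
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64   /* assumed window size, in packets */

enum seq_verdict { SEQ_OK, SEQ_DUPLICATE, SEQ_TOO_OLD };

struct replay_state {          /* hypothetical names, not OpenConnect's */
    int      started;
    uint32_t max_seq;          /* highest seqno received so far */
    uint64_t seen;             /* bit i set: (max_seq - i) was received */
};

/* Classify seq and update state. Wraparound is not handled. */
enum seq_verdict check_seq(struct replay_state *rs, uint32_t seq)
{
    if (!rs->started || seq > rs->max_seq) {
        uint32_t shift = rs->started ? seq - rs->max_seq : REPLAY_WINDOW;
        rs->seen = (shift >= REPLAY_WINDOW) ? 0 : rs->seen << shift;
        rs->seen |= 1;
        rs->max_seq = seq;     /* only ever moves forward */
        rs->started = 1;
        return SEQ_OK;
    }
    uint32_t age = rs->max_seq - seq;
    if (age >= REPLAY_WINDOW)
        return SEQ_TOO_OLD;
    if (rs->seen & (1ULL << age))
        return SEQ_DUPLICATE;
    rs->seen |= 1ULL << age;   /* late but new: reordering, not replay */
    return SEQ_OK;
}

int main(void)
{
    /* Constructed arrival order: reordering, a duplicate, a stale packet */
    const uint32_t arrivals[] = { 5, 7, 6, 6, 100, 7 };
    static const char *names[] = { "ok", "duplicate (warn)", "too old (warn)" };
    struct replay_state rs = { 0 };

    for (size_t i = 0; i < sizeof(arrivals) / sizeof(arrivals[0]); i++) {
        enum seq_verdict v = check_seq(&rs, arrivals[i]);
        /* Warning only: the packet is still passed up either way */
        printf("seq %u: %s, max_seq=%u\n", (unsigned)arrivals[i], names[v], (unsigned)rs.max_seq);
    }
    return 0;
}
```

Because `max_seq` never moves backwards, a reordered packet such as 6 arriving after 7 does not lower the baseline, which is the difference between tracking the highest seqno and tracking the last one received.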
